If you run a Joomla or WordPress installation with mod_php, the following settings in the vhost configuration file or in the "Apache directives" field in ISPConfig can be used to apply a stricter security policy to that site. They limit the damage a compromise of this website can do and protect the other sites on the server. Note that php_admin_value and php_admin_flag are only honoured by mod_php; if the site runs under FastCGI or PHP-FPM, the same settings have to go into that site's php.ini or FPM pool configuration instead.
php_admin_value disable_functions "show_source system shell_exec passthru exec phpinfo popen proc_open"
php_admin_flag allow_url_fopen Off
php_admin_value session.save_path "/var/www/webXXX/phptmp/"
php_admin_value open_basedir "/var/www/webXXX/:/tmp"
disable_functions disables functions that have a potential security impact, e.g. because they allow the execution of external programs (system, shell_exec, passthru, exec, popen, proc_open) or disclose information about the server (phpinfo, show_source). Functions are disabled by name, so aliases have to be listed separately: show_source is an alias of highlight_file, and if you want to block reading PHP source files that way, add highlight_file to the list as well.
allow_url_fopen Off prevents PHP from opening remote resources (http://, ftp:// and similar URLs) with file functions such as fopen() and file_get_contents(). Legitimate code that needs to talk to remote servers should use cURL instead, which is not affected by this setting.
session.save_path sets the directory where PHP stores its session files. For ISPConfig 2 the path is e.g. "/var/www/webXXX/phptmp/", for ISPConfig 3 it is like "/var/www/clients/client1/web1/tmp/". If you don't use ISPConfig, set this path to a directory that is writable for the webserver user. The directory should be unique for every website: with a shared session directory such as /tmp, PHP code from one site can read or tamper with the session files of every other site.
open_basedir restricts the paths from which PHP scripts are allowed to open files. For ISPConfig 2 the path is like "/var/www/webXXX/", for ISPConfig 3 it is like "/var/www/clients/client1/web1/". If you don't use ISPConfig, set this path to the root directory of this vhost. With :/tmp we also allow PHP scripts to use the /tmp directory of the server. Keep the trailing slash on the directory entries: open_basedir is a prefix match, so "/var/www/web1" would also match "/var/www/web10". open_basedir only limits file access inside PHP; it does not stop commands run via system() or exec(), which is why it is combined with disable_functions above.
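Putting the four settings together, here is a complete vhost for an ISPConfig 3 style layout. This is an added example, not taken from ISPConfig or from the text above: the host name example.com, the path /var/www/clients/client1/web1/ and the log file names are assumptions and have to be replaced with your own values. It goes slightly beyond the list above by also disabling highlight_file, the second name of show_source.

```apache
# Hardened mod_php vhost (assumed site: example.com, web root /var/www/clients/client1/web1/)
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/clients/client1/web1/web

    # Block execution of external programs and information disclosure.
    # Both comma- and space-separated lists are accepted by PHP; the
    # documented form is comma-separated. highlight_file is the alias
    # of show_source and has to be named explicitly to be disabled.
    php_admin_value disable_functions "show_source,highlight_file,system,shell_exec,passthru,exec,phpinfo,popen,proc_open"

    # No remote file access through fopen()/include; use cURL instead.
    php_admin_flag allow_url_fopen Off

    # Per-site session directory so sessions cannot be read by other sites.
    # The directory must exist and be writable for the webserver user.
    php_admin_value session.save_path "/var/www/clients/client1/web1/tmp/"

    # PHP may only open files below the site root and in /tmp.
    # Trailing slashes matter: open_basedir is a prefix match.
    php_admin_value open_basedir "/var/www/clients/client1/web1/:/tmp/"

    <Directory /var/www/clients/client1/web1/web>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog  /var/log/apache2/example.com-error.log
    CustomLog /var/log/apache2/example.com-access.log combined
</VirtualHost>
```

After reloading Apache, verify that the policy is actually in effect for this vhost rather than only written down: a small PHP page on the site that prints ini_get('open_basedir'), ini_get('session.save_path') and function_exists('system') should show the restricted paths and false, and a read of a file outside the web root, e.g. /etc/passwd, should fail with an open_basedir restriction warning. The php_admin_* directives cannot be overridden from .htaccess or with ini_set(), which is what makes them suitable for a policy the site owner should not be able to relax.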